Security And Development Must Work Together To Prevail Against Threats

Pamela Dunn

The Ponemon Institute’s 12th annual Cost of Data Breach Study contained some good news for the world’s business community. Average data breach direct costs continued their downward trend. Between 2016 and 2017, they fell by 10% from $4 million to $3.62 million per breach and from $154 to $141 per record.

But the study also found that the size of the average data breach increased by 1.8%, to more than 24,000 records. Taken together, these statistics suggest that companies are getting better at reducing breach-related costs, but they are still struggling with the equally important task of keeping their data and intellectual property safe.

Scott Johnson, director of product management for Micro Focus Fortify, a software security vendor, says companies will remain vulnerable to intrusions until they begin taking security measures at the application level. “The network perimeter is no longer viable,” he says. “While it helps with some security issues, that is not where many of today’s vulnerabilities start or are escalated by hackers.”

Security must begin in the development process

In addition to firewalls, point protection, gap analysis, user training, and other countermeasures, companies need to ensure that security is an integral part of all applications they purchase or develop. “A lot of companies are focused on security for external applications,” says Andreas Gloege, SAP director, quality assurance solutions. “But it is important to remember that about 50% of all attacks are happening on or via internal applications.”

Internal applications are particularly attractive to hackers because they often contain more sensitive information than external applications. When developing internal applications, companies need to enforce a process that compels the IT security and application development teams to work together.

“This approach is not only possible but absolutely necessary,” says Damien Suggs, Saltworks security senior technology security manager. “Security and developers have to understand that they are on the same side. Security can convey this by recognizing a finding of vulnerability that needs to be addressed and then working it through the development process until it is remediated.”

Establishing a formal role for security experts in the development process can help resolve vulnerabilities before new software is released into the wild. This more proactive approach better protects valuable data stores while allowing companies to safely leverage the competitive advantages of ubiquitous connectivity.

Companies must become more security focused

To enhance security further, companies must build security into their corporate cultures. They can pursue this objective by using education and training to create a more threat-aware workforce. Security training for IT staff also should be part of this effort since few technology workers enter the workforce with a thorough understanding of security best practices.

“One of the interesting findings in our 2017 State of Security Operations report was that only one in nine universities offer security courses as part of the requirements for a computer engineering degree,” Johnson says. “That has to change.”

Until educational institutions become more focused on security, companies will have to take responsibility for improving the competency of their technical workers. Third-party security experts can help mitigate this risk by backstopping internal resources on an as-needed basis. These vendors can be particularly useful for threat assessments and identifying vulnerabilities associated with particular systems, applications, and data stores.

Vulnerabilities are likely to increase with IoT

Even as companies act to improve their security posture, they must recognize that no security system is 100% effective. Vulnerabilities are unlikely to go away—especially as the Internet of Things is woven ever more tightly into the fabric of modern life.

As companies build their security-focused cultures, they should communicate that vulnerabilities are defects in applications and not deficiencies in the developers or security staff who are supporting the products. Since these risk factors cannot be completely eliminated, any measures taken to promote security have to be balanced with the day-to-day needs of running a business.

“Security cannot be something that is slowing down the business,” Gloege says. “Security has to be something that comes naturally into what the company is doing.”

Mitigating risk and maximizing efficiency will continue to be significant challenges. To find the right balance, companies must do more than install firewalls and security appliances. They must integrate security awareness into every job description, product offer, and development effort. There really is no other choice.

Want to learn more? Listen to the SAPRadio show “Your Application Security: The Perimeter has Moved,” and check @SAPPartnerBuild on Twitter.